Security Trends: Quality Over Quantity, Mobile Vulnerabilities and the Cloud

Criminals seem to be taking a quality over quantity approach to malware, phishing and spamming as enterprises face increasingly sophisticated and specialized risks, according to the IBM X-Force 2010 Trend and Risk Report. In 2010, spam peaked and phishing declined. But total security disclosures increased, and, of course, we saw what happened with Stuxnet.

Stuxnet proved that highly targeted attacks against specialized equipment are no longer a hypothetical threat – they’re a real threat.

Although Stuxnet was the highest profile computer security story of 2010, the Zeus botnet continues to affect far more individuals and organizations. According to the report, Zeus was responsible for stealing more than $1 million from customers of one UK-based financial institution alone. IBM warns that PDF vulnerabilities are a growing way to spread the Zeus trojan, and that Foxit Reader is not immune to the flaws.

The good news is that phishing is in decline. The peak level of phishing in 2010 was less than 1/4 the peak level of phishing over the past two years. The bad news is that “spear phishing” is on the rise. Spear phishing is a more targeted form of phishing – the phisher generally poses as someone the victim knows.

Spam peaked in 2010, reaching its highest level in history, and then leveled off. IBM speculates that this is due to spammers seeing less benefit from high volume spamming. Instead, spammers seem to be focusing on bypassing spam filters. Again, quality over quantity is the new rule.

The number of mobile operating system vulnerabilities increased this year, but malware on mobiles is still uncommon. The biggest security risk remains lost or stolen devices.

Web applications accounted for nearly half the vulnerabilities disclosed in 2010. Cross-site scripting and SQL injections are the biggest problems, though cross-site scripting is in decline.

Perhaps the scariest fact in the report, however, is that nearly half the vulnerabilities disclosed remain unpatched.

Although the number of security vulnerabilities in Web applications and hypervisors may be off-putting, IBM thinks cloud security will eventually improve to such a point that it becomes a driver, instead of an inhibitor, of cloud adoption. We’ve been saying much the same here for some time.

Also of note, IBM is opening the Advanced Institute for Security in Europe in Brussels. The goal of the institute is to connect representatives from the government, private sector and academia with IBM security experts in Europe.